On November 1, 2018, the federal government amended the Personal Information Protection and Electronic Documents Act (PIPEDA) to add new obligations for organizations handling personal information through their commercial activities. Boards of condominium corporations should be aware that some of the corporation’s activities can be construed as commercial, thus placing condo corporations within the scope of PIPEDA. Deliberate failure to observe the amendments under PIPEDA may result in fines of up to $100,000 to the Corporation, as well as potential personal liability for board members if they do not act to address such failures.
The 2018 amendments include:

· Reporting data breaches to the Office of the Privacy Commissioner of Canada (OPCC). Reporting to the OPCC is required only for security breaches where there is a real risk of significant harm to affected individuals. The report would include information like the number of affected individuals, when the breach happened, the circumstances and nature of the breach, the security safeguards in place, the personal information breached, and next steps.

· Notifying affected individuals and organizations. Organizations must notify affected individuals as soon as possible after determining that there was a real risk of significant harm. Notice to the individuals needs to be direct and include information like the circumstances and the breach date, what personal information was accessed, and how to obtain further information. Organizations also have an obligation to notify other organizations if doing so would reduce the risk of harm or mitigate the harm from the breach. If you are subject to the EU’s GDPR, then you may need to observe specific timelines for notification.

· Keeping records. Organizations must keep records of each security breach regardless of whether there was a real risk of significant harm. The records should include information like the breach date, a general description, and whether the breach was reported to the OPCC.
An eye to privacy law is becoming increasingly important given Innovation, Science and Economic Development Canada’s announcement this week of plans to develop a Digital Charter, which promises serious fines for non-compliance, penalties for re-identifying anonymized data, and order-making powers for the OPCC. Thus, even though condominium corporations are regulated primarily under Ontario condominium law, boards of such corporations should, at a minimum, ensure that the corporation develops an adequate data breach plan, provides appropriate employee training, and maintains an updated privacy policy, in order to reduce the risk of the hefty fines relating to non-compliance with PIPEDA.
For further information or guidance, contact MDK's Kimberley Chew Leung at kimberley@businesslawadvice.com